Posted by Oliver Meredew on September 26th, 2017.
The world at large has been paying increasingly close attention to the issue of cyber security in recent years, and the issue hit global headlines thanks to the WannaCry cyber-attack earlier in 2017.
At best, a cyber-attack or virus is inconvenient; at worst it can lock you out of your computer, hold important files to ransom or result in the leaking of sensitive or confidential information.
Adopting stringent cyber security measures is crucial no matter the size of your business.
An attack you can’t defend against could not only cause chaos for your business, but could also lead to customers and partners facing subsequent attacks from malicious sources.
In this article, we’ll be looking at the ways your business can be assaulted electronically, as well as how you can combat digital threats.
When it comes to contracting computer viruses, one of the most common ways is through email attachments.
While most bogus emails can be spotted a mile away, there are some that push the envelope in terms of looking genuine. For every message about miracle medicine and bank accounts you don’t have, there are some that are too close to call with confidence.
Thanks to changes in how email works, you’re not guaranteed to trigger a virus just from opening an email nowadays, but it is still better to be safe than sorry.
A bogus email attachment could carry any number of harmful programs, including ones that destroy your files, those that track your activities or programs that turn your own email account into a source of further spam and virus emails.
The worst of these is the dreaded ‘ransomware’, which locks you out of your own files and demands a ransom before you can access them again.
In a similar vein to the basic virus email is a ‘phishing’ communication. This takes the form of a legitimate-looking email that directs you to enter key personal details – you might, for instance, be prompted to log in to your Amazon account.
However, while the page you submit your login details to may look genuine, it’s just a replica, and your details have actually just been captured by an unknown party.
On the low end of the scale, this could lead to more personalised ads being directed at you – at the other end, if you give away card details then the perpetrators could go on a spending spree.
This is exemplified in ‘man in the middle’ attacks. These involve the attacker impersonating a bank or business, so that you end up paying the criminal instead of the intended recipient.
Password cracking is another way in which cybercriminals can access your personal details, accounts and information.
While it might take a while, an attacker eventually working out your password could lead to compromised accounts across a range of websites, depending on whether you reuse the same password on several of them.
‘Malvertising’ and rogue software are additional threats that your business might encounter.
The first is similar to a virus email, in so much as it risks your computer being infected if you click on a dodgy link or advert while browsing the web.
Operating on the same kind of principle, rogue software is a virus or malicious program that purports to be an essential way of counteracting cyber-attacks, but is in reality another way of infecting your system with all kinds of unwanted programs.
Ensuring your business has adequate protection in place to defend itself from a virus or hacking attempt can appear daunting, but there are a number of ways in which you can maximise your security.
At a very basic level, installing a reputable and recommended virus protection program will cover multiple bases at once.
There are plenty of reviews of notable antivirus packages, as well as dedicated comparison sites that rank big-name software according to different criteria, so do your research and pick one that offers the level of protection you need.
There are free antivirus packages available as well as paid-for programs, but in the interests of safety, the benefits of more established software can be well worth the outlay.
Common sense is often the best remedy to the issue of bogus emails: if something looks too good to be true, it generally is.
Staying alert and pausing before opening a message is the best way of weeding out the authentic-looking trap emails. Read subject lines carefully, pay attention to the sender, and if you do happen to open the email and click any link provided, check the URL to make sure it’s the genuine article.
To get down to particulars, if you’re expecting a parcel to be delivered by courier but Royal Mail seem to have gotten hold of it, check the ‘new’ message carefully before opening it.
Likewise, an email or message from your bank should set alarm bells ringing if it asks for confidential information, given that real banks will rarely (if ever) ask for it.
There are some infected emails that might be opened by mistake – in this case you should make sure that both your operating system (OS) and virus protection are up to date; if they aren’t, new or different versions of viruses could slip through the filters.
Close scrutiny is also the best line of defence against phishing – consider whether the contacting company would really ask for deeply personal or irrelevant information and you could catch out an attempt to steal your details.
While devoting time to checking communications does require a bit of legwork on your end, you can also verify if a suspicious message is genuine by phoning up the company in question.
It’s important to get the company’s number independently, as if you phone the number on a bogus email, it will inevitably lead to an agreeable representative of those trying to ‘phish’ your details.
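The advice above to check a link’s URL before trusting it can be made mechanical. The following Python example is added here and is not code from the original post or from TorFX; it assumes a small, hypothetical allow-list of domains the business expects to be contacted from (`TRUSTED_DOMAINS`), and shows the three checks a reader would otherwise do by eye: is the real destination a trusted domain or one of its subdomains, does the visible link text name a trusted site while the link goes elsewhere, and does a trusted name merely appear inside an unrelated host name.

```python
from urllib.parse import urlsplit

# Constructed, hypothetical allow-list of domains this business expects
# links from; a real deployment would maintain its own list.
TRUSTED_DOMAINS = {"amazon.co.uk", "royalmail.com", "examplebank.co.uk"}


def link_host(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    # urlsplit takes the host from after any 'user@' part, so a link such as
    # https://www.amazon.co.uk@evil.example/ resolves to evil.example here.
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def under_domain(host, domain):
    """True if host is the domain itself or a label-aligned subdomain of it."""
    return host == domain or host.endswith("." + domain)


def looks_like_address(text):
    """Crude filter: only treat visible link text as a URL if it could be one."""
    text = text.strip()
    return "." in text and " " not in text


def classify_link(url, shown_text=None):
    """Classify a link found in an email against the allow-list.

    Returns one of:
      'trusted'   - destination host is a trusted domain or a subdomain of one
      'mismatch'  - the visible link text names a trusted domain but the real
                    destination is somewhere else
      'lookalike' - a trusted name appears inside an unrelated host, e.g.
                    amazon.co.uk.account-verify.example
      'unknown'   - host not on the allow-list and no obvious trick detected
      'invalid'   - no usable hostname at all
    """
    host = link_host(url)
    if not host:
        return "invalid"
    if any(under_domain(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if shown_text and looks_like_address(shown_text):
        shown_host = link_host(shown_text.strip())
        if shown_host and any(under_domain(shown_host, d) for d in TRUSTED_DOMAINS):
            return "mismatch"
    # The first label of a trusted domain ('amazon', 'royalmail', ...) present
    # in the host, but not as its real suffix, is the classic lookalike trick.
    if any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kinds discussed above.
    samples = [
        ("https://www.amazon.co.uk/orders", None),
        ("http://amazon.co.uk.account-verify.example/login", None),
        ("https://track-parcel.example/x", "https://www.royalmail.com/track"),
        ("https://www.amazon.co.uk@evil.example/", None),
        ("https://news.example.org/article", None),
    ]
    for link, text in samples:
        print(f"{classify_link(link, text):10} {link}")
```

The point of the `under_domain` check is that a trusted name must be the end of the host name, label by label; anything else that contains the name is treated as suspicious rather than as a near miss.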
If you run a small business and aren’t certain staff are being as scrupulous with their checking as they should, send frequent reminders to keep them on the alert and supply additional training in the area of cybersecurity if necessary.
Depending on your budget and resources, you should also implement an email security system that verifies the origin of messages, makes it clear when they are from a safe source and blocks them when they aren’t.
Passwords are attached to almost everything these days, so a recent change in attitude towards this basic level of security may come as a relief to many.
In the past, the recommendation has been to make up your password from letters, special characters and numbers, which can lead to difficult-to-remember combinations.
Additionally, security experts and IT professionals have pushed for expiring passwords; that is, ones that need to be changed every few weeks, for example.
As part of its new guidelines, however, the National Institute of Standards and Technology (NIST) has dismissed this old guidance, arguing that it is needlessly complicated and could actually be a security risk.
Instead, the US body recommends that a series of random words can be better than one word with numbers substituted for letters, as it is harder to ‘crack’.
Additionally, the NIST believes that frequent password changes can diminish your security, as you may be changing from a ‘strong’ password to a ‘weak’ one.
This is all good news for those that struggle to remember the random strings or nonsense words that they used in the first place, and is widely seen as a sensible solution that makes effective security quicker and easier to implement.
Although there are plenty of password ‘strength checkers’ on the internet, experts are on the fence about whether they are actually safe. The basic takeaway from NIST’s research is to use a string of random, long words that you can remember, that you haven’t used elsewhere online before.
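To show why a string of random words is harder to crack than one substituted word, here is an added Python example (not code from the post, and not NIST’s own tooling) that estimates the guessing effort for both schemes. The wordlist size of 7776 matches a standard diceware-style list; the dictionary size of 100,000 words, the four substitutable letters and the guess rate of ten billion per second are constructed attacker-model assumptions, and `WORDLIST` is a toy list used only so the generator runs offline.

```python
import math
import secrets

# Toy wordlist so the example runs offline. Only the size of the list matters
# for the entropy estimate; a real generator would use several thousand words.
WORDLIST = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "meadow", "needle", "orange", "pepper",
]

DICEWARE_LIST_SIZE = 7776        # size of a standard diceware-style list
DICTIONARY_SIZE = 100_000        # assumed size of an attacker's word dictionary
SUBSTITUTABLE_LETTERS = 4        # assumed letters an attacker tries as leet forms
GUESSES_PER_SECOND = 10 ** 10    # assumed offline guessing rate (hypothetical)


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words chosen uniformly at random from list_size."""
    return word_count * math.log2(list_size)


def substituted_word_entropy_bits(dictionary_size, substitutable_letters):
    """Entropy of one dictionary word with optional leet substitutions.

    The attacker tries every dictionary word and, for each, every on/off
    pattern of substitutions, so the search space is dictionary_size * 2**k.
    """
    return math.log2(dictionary_size) + substitutable_letters


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(words, count=4, separator=" "):
    """Pick count words with a cryptographically secure RNG."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes():
    """Return (passphrase_bits, substituted_bits) under the stated assumptions."""
    return (
        passphrase_entropy_bits(4, DICEWARE_LIST_SIZE),
        substituted_word_entropy_bits(DICTIONARY_SIZE, SUBSTITUTABLE_LETTERS),
    )


if __name__ == "__main__":
    phrase_bits, subst_bits = compare_schemes()
    for label, bits in (("4 random words", phrase_bits), ("1 word + leet", subst_bits)):
        secs = seconds_to_exhaust(bits, GUESSES_PER_SECOND)
        print(f"{label:15} {bits:5.1f} bits  worst case {secs:12.3f} s")
    print("example passphrase:", generate_passphrase(WORDLIST))
```

The comparison makes NIST’s point concrete: four words from a 7776-word list give roughly 51.7 bits, whereas one dictionary word dressed up with substitutions gives only about 20.6 bits under these assumptions, because the attacker knows the trick and simply enumerates it. Note also that the generator uses `secrets`, not `random`, since a predictable generator would undo the whole calculation.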
On this most-dreaded of cyber-attacks, ransomware, experts say that it’s a bad idea to give in and pay the hackers. According to the team behind No More Ransom, a Europol-backed project:
‘The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that [their] ransomware works, and there’s no guarantee you’ll get the decryption key you need in return’.
Further rejecting the idea of coughing up for your files has been Professor Alan Woodward, security expert at the University of Surrey. Looking at ransomware in the wake of high-profile cases like the attack on the NHS, Woodward believes that:
‘I very much doubt anyone would return your contact request [for file decryption], bearing in mind the attention that is now on this.
If anyone pays this ransom they are more than likely going to send Bitcoin that will sit in an address for ever more. [There is] no point’.
If you are unfortunate enough to be caught by ransomware, there are a few niche get-outs. Writing for PC World, Eric Geier suggests using a system restore point from before the ransomware was introduced.
Another good practice is to repeatedly back up files to a physical hard drive, just in case something happens to your computer that can’t be easily fixed.
There are a few tips that don’t fit specifically into the above areas, so here are some general rules to help improve your security and minimise the damage of a successful attack.
Some viruses can steal customer data or personal details. One way to limit the damage if this occurs is to keep only the details you actually need to do business and to delete old client records after a set period of time. Keeping data ‘clean’ and updating it regularly is also essential if you want to comply with data handling regulations.
To improve overall website security, avoid navigating to insecure or fraudulent websites – antivirus software will often pick these up because of a lack of HTTPS certification (the green padlock in the address bar).
You can also improve the reputation of your own site by making it HTTPS-secure, which means proving the site’s identity with a certificate and encrypting the data it exchanges with visitors.
If a virus does make it through, make sure you have a backup plan – it can be a good idea to segment your network. This essentially funnels activity into specific parts of the network, meaning that you can quickly identify and deal with any malicious programs.
On the same preventative line, you can make sure that staff are only accessing areas of the internet essential to their employment, rather than giving them unlimited access.
While it might cause a bit of grumbling, this is a good way of reducing the risk of them stumbling on to sites that pose a security risk.
Going a step further, you can ‘lock down’ the company’s computer network by preventing external access, so potential virus introducers like USB sticks and phones accessing Wi-Fi can’t threaten the system.
Virus protection and cyber security are constantly evolving, as is the sophistication of cyber-attacks, but by staying alert to the issue and regularly auditing your business’s approach to defence, you can protect yourself and your customers.
© TorFX. Unauthorised copying or re-wording of this blog content is prohibited. The copyright of this content is owned by Tor Currency Exchange Ltd. Any unauthorised copying or re-wording will constitute an infringement of copyright.